Monday, March 21, 2011

In most situations, you will enable shadow passwords and SHA512 passwords (the defaults) and authenticate users who log in to your computer against the local passwd and shadow password files. To change that behavior, select the Use Network Login button during the Create User step of Firstboot.

The shadow password file keeps the hashed passwords out of the world-readable passwd file, so ordinary users cannot read them. SHA512 is a hashing algorithm used to protect stored passwords in Linux and other UNIX systems. It replaces an algorithm called crypt, which was used with early UNIX systems. When you enable SHA512 passwords, your users can have longer passwords that are harder to break than those hashed with crypt. You can also use MD5 or SHA256 for hashing passwords, although these methods are less secure.
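As an added example (not part of the original post), the script below checks the two things the paragraph describes on an existing system: which hash algorithm each account in a shadow-format file actually uses (read from the "$id$" prefix of the hash field, where $6$ is SHA512, $5$ is SHA256, $1$ is MD5 and no prefix is traditional crypt), and which algorithm new passwords will get, taken from the ENCRYPT_METHOD setting of a login.defs-style file. Both input files are constructed samples with placeholder hashes; the file names, functions and sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit the hash algorithm of every
# account in a shadow-format file and the default for new passwords in a
# login.defs-style file. Both files below are constructed samples.

# Constructed /etc/shadow-style content. Hash fields are placeholders with the
# right "$id$salt$hash" shape, not real hashes of real passwords.
SAMPLE_SHADOW=$(mktemp)
SAMPLE_LOGINDEFS=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW" "$SAMPLE_LOGINDEFS"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$placeholderSHA512hash:15054:0:99999:7:::
alice:$5$saltsalt$placeholderSHA256hash:15054:0:99999:7:::
bob:$1$saltsalt$placeholderMD5hash:15054:0:99999:7:::
legacy:abJnggxhB/yWI:15054:0:99999:7:::
daemon:*:15054:0:99999:7:::
svc:!!:15054:0:99999:7:::
guest::15054:0:99999:7:::
EOF

# Constructed excerpt of /etc/login.defs (ENCRYPT_METHOD is what authconfig
# --passalgo=sha512 writes there).
cat > "$SAMPLE_LOGINDEFS" <<'EOF'
PASS_MAX_DAYS   99999
ENCRYPT_METHOD  SHA512
EOF

# hash_algo HASHFIELD -> name of the algorithm behind one shadow hash field.
hash_algo() {
    case "$1" in
        '')                      echo empty ;;     # no password set at all
        '*'|'!'*)                echo locked ;;    # password login disabled
        '$6$'*)                  echo sha512 ;;
        '$5$'*)                  echo sha256 ;;
        '$1$'*)                  echo md5 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$'*)                    echo unknown ;;   # some other $id$ scheme
        *)                       echo descrypt ;;  # traditional DES crypt, no prefix
    esac
}

# audit_shadow FILE -> prints "user algorithm" per account and returns 1 when
# any account still relies on md5, traditional crypt, or an empty field.
audit_shadow() {
    weak=0
    while IFS=: read -r user hash rest; do
        algo=$(hash_algo "$hash")
        printf '%s %s\n' "$user" "$algo"
        case "$algo" in md5|descrypt|empty) weak=$((weak + 1)) ;; esac
    done < "$1"
    [ "$weak" -eq 0 ]
}

# encrypt_method FILE -> the ENCRYPT_METHOD value from a login.defs file, i.e.
# the algorithm new passwords will be hashed with (empty output if unset).
encrypt_method() {
    awk '$1 == "ENCRYPT_METHOD" { print $2 }' "$1"
}

# Stand-alone run: list every account, then report the default for new ones.
audit_shadow "$SAMPLE_SHADOW" || echo "weak or empty password hashes present"
echo "default for new passwords: $(encrypt_method "$SAMPLE_LOGINDEFS")"
```

On a real system you would point audit_shadow at /etc/shadow (as root) and encrypt_method at /etc/login.defs; an account that still shows md5 or descrypt keeps its old hash until the user next changes the password, so switching the default alone does not fix existing entries.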

If you are on a network that supports one of several different forms of network-wide authentication, you may choose one of the following features (on the Authentication tab):

• Enable Kerberos Support — Tick this check box to enable network authentication services available through Kerberos. After enabling Kerberos, you can add information about a Kerberos Realm (a group of Kerberos servers and clients), KDC (a computer that issues Kerberos tickets), and Admin server (a server running the Kerberos kadmind daemon).

• Enable LDAP Support — If your organization keeps user information in an LDAP directory, you can tick this check box to look up authentication information on an LDAP server. Enter the LDAP Server name and, optionally, the LDAP distinguished name (the base DN) under which to search for the user information your system needs.

• Enable Smart Card Support — Tick this check box to allow users to log in using a certificate and key associated with a smart card.

In addition to the services just mentioned, you can also select from various ways of gathering distributed user information, if any of these methods are supported on your network.

• Configure Hesiod — If your organization uses Hesiod for holding user and group information in DNS, you can add the LHS (domain prefix) and RHS (Hesiod default domain) to use for doing Hesiod queries.

• Configure NIS — Select this option and type the NIS domain name and NIS server location if your network is configured to use the Network Information System (NIS). Instead of naming an NIS server, you can tick the check box to broadcast for a server on your network.
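The Firstboot dialogs described in the two lists above can also be expressed as one authconfig command line, which is what you would script in a kickstart %post section. The script below is an added example, not part of the original post: the flags are authconfig's own (--enableshadow, --passalgo, --enablekrb5, --krb5realm, --krb5kdc, --krb5adminserver, --enableldap, --enableldapauth, --enableldaptls, --ldapserver, --ldapbasedn, --enablesmartcard, --enablehesiod, --hesiodlhs, --hesiodrhs, --enablenis, --nisdomain, --nisserver, --update), while every realm, host and domain value is a constructed placeholder and the build_authconfig_cmd function is an assumption made for this example. It only prints the command, so nothing on the machine changes until you run the printed line yourself.

```shell
#!/bin/sh
# Added example, not from the original post: the command-line equivalent of the
# Firstboot authentication choices, built as an authconfig invocation. The flags
# are authconfig's own; every realm, host and domain value is a constructed
# placeholder to replace with your site's values.

KRB_REALM="EXAMPLE.COM"                 # Kerberos Realm field
KRB_KDC="kdc.example.com"               # KDC field
KRB_ADMIN="kadmin.example.com"          # Admin server field (runs kadmind)
LDAP_SERVER="ldap://ldap.example.com/"  # LDAP Server field
LDAP_BASEDN="dc=example,dc=com"         # LDAP distinguished name (base DN) field
HESIOD_LHS=".ns"                        # Hesiod LHS (domain prefix)
HESIOD_RHS=".example.com"               # Hesiod RHS (default domain)
NIS_DOMAIN="example-nis"                # NIS domain name
NIS_SERVER="nis.example.com"            # NIS server

# build_authconfig_cmd METHOD... -> prints one authconfig command line that
# enables local shadow/SHA512 passwords plus each requested network method.
# METHOD values: kerberos ldap smartcard hesiod nis (any combination).
build_authconfig_cmd() {
    cmd="authconfig --enableshadow --passalgo=sha512"
    for method in "$@"; do
        case "$method" in
            kerberos)
                cmd="$cmd --enablekrb5 --krb5realm=$KRB_REALM --krb5kdc=$KRB_KDC --krb5adminserver=$KRB_ADMIN" ;;
            ldap)
                # --enableldaptls is not in the original post; without it the
                # LDAP bind would send the user's password in clear text.
                cmd="$cmd --enableldap --enableldapauth --enableldaptls --ldapserver=$LDAP_SERVER --ldapbasedn=$LDAP_BASEDN" ;;
            smartcard)
                cmd="$cmd --enablesmartcard" ;;
            hesiod)
                cmd="$cmd --enablehesiod --hesiodlhs=$HESIOD_LHS --hesiodrhs=$HESIOD_RHS" ;;
            nis)
                cmd="$cmd --enablenis --nisdomain=$NIS_DOMAIN --nisserver=$NIS_SERVER" ;;
            *)
                echo "unknown method: $method" >&2
                return 2 ;;
        esac
    done
    printf '%s --update\n' "$cmd"
}

# Stand-alone run: print the command for a site using Kerberos for
# authentication and LDAP for user information.
build_authconfig_cmd kerberos ldap
```

Run the printed line as root to apply it; authconfig --test shows the settings currently in effect without changing anything, which is a good first check before and after the change.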